fix(sandbox): allow first-label L7 host wildcards (#1304)

mjamiv · johntmyers · web-flow · commit 528fb29147a2 · 2026-05-21T09:32:37.000-07:00
* fix(sandbox): allow first-label L7 host wildcards

* docs(sandbox): document L7 host wildcard contract + add OPA runtime tests

- Add Host Wildcards section to architecture/security-policy.md
  describing accepted (first-label *, **, intra-label *-X) and
  rejected (bare, TLD, non-first-label, recursive-in-label) forms,
  and noting that wildcards never cross '.' boundaries.
- Expand the policy-schema.mdx 'host' field description to reflect
  the same contract instead of only mentioning '*.example.com'.
- Add OPA runtime tests asserting '*-aiplatform.googleapis.com'
  matches 'us-central1-aiplatform.googleapis.com' and does not match
  'us-central1.aiplatform.googleapis.com' (cross-dot boundary). Locks
  validator/runtime alignment for intra-label wildcards.

* chore: update mise lockfile

* test(server): tolerate serialized inference upserts

---------

Co-authored-by: John Myers &lt;9696606+johntmyers@users.noreply.github.com&gt;
diff --git a/architecture/security-policy.md b/architecture/security-policy.md
@@ -36,6 +36,27 @@ Ordinary network traffic follows this order:
 Explicit deny and hardening checks win over allow rules. If no rule matches, the
 request is denied.
 
+## Host Wildcards
+
+Network endpoint `host` patterns accept a `*` wildcard inside the first DNS
+label only. The OPA runtime matches with a `.` label boundary, so a wildcard
+never spans dots. The validator enforces the same boundary so that policy load
+fails fast instead of silently mismatching at the proxy.
+
+| Pattern | Accepted | Example match | Notes |
+|---|---|---|---|
+| `*.example.com` | Yes | `api.example.com` | Single first label of any value. |
+| `**.example.com` | Yes | `a.b.example.com` | Recursive wildcard as the entire first label. |
+| `*-aiplatform.googleapis.com` | Yes | `us-central1-aiplatform.googleapis.com` | Intra-label wildcard inside the first DNS label. |
+| `*` or `**` | No | — | Matches every host. |
+| `*.com`, `**.com` | No | — | TLD wildcards (`labels <= 2`). |
+| `foo.*.example.com` | No | — | Wildcard outside the first DNS label. |
+| `foo**.example.com` | No | — | Recursive `**` mixed inside a label; allowed only as the entire first label. |
+
+Validation rejects the disallowed patterns at policy load time with a message
+that names the offending host. Exact hosts and IP addresses do not use this
+path.
+
 ## TLS and L7 Inspection
 
 For HTTP endpoints that need request-level controls, the proxy can terminate TLS
diff --git a/crates/openshell-sandbox/src/l7/mod.rs b/crates/openshell-sandbox/src/l7/mod.rs
@@ -353,6 +353,43 @@ fn check_glob_syntax(pattern: &str) -> Option<String> {
     None
 }
 
+fn validate_host_wildcard(errors: &mut Vec<String>, loc: &str, host: &str) {
+    if !host.contains('*') {
+        return;
+    }
+
+    if host == "*" || host == "**" {
+        errors.push(format!(
+            "{loc}: host wildcard '{host}' matches all hosts; use specific patterns like '*.example.com'"
+        ));
+        return;
+    }
+
+    let labels: Vec<&str> = host.split('.').collect();
+    let first_label = labels.first().copied().unwrap_or_default();
+    if labels.iter().skip(1).any(|label| label.contains('*')) {
+        errors.push(format!(
+            "{loc}: host wildcard may only appear in the first DNS label, got '{host}'"
+        ));
+        return;
+    }
+    if first_label.contains("**") && first_label != "**" {
+        errors.push(format!(
+            "{loc}: recursive host wildcard '**' is only allowed as the entire first DNS label, got '{host}'"
+        ));
+        return;
+    }
+
+    // Reject TLD or single-label wildcards. They are accepted by the policy
+    // engine but silently fail at the proxy layer (see #787).
+    if labels.len() <= 2 {
+        errors.push(format!(
+            "{loc}: TLD wildcard '{host}' is not allowed; \
+             use subdomain wildcards like '*.example.com' instead"
+        ));
+    }
+}
+
 fn validate_graphql_operation_type(
     errors: &mut Vec<String>,
     loc: &str,
@@ -529,29 +566,7 @@ pub fn validate_l7_policies(data_json: &serde_json::Value) -> (Vec<String>, Vec<
                 }
             }
 
-            // Validate host wildcard patterns.
-            if host.contains('*') {
-                if host == "*" || host == "**" {
-                    errors.push(format!(
-                        "{loc}: host wildcard '{host}' matches all hosts; use specific patterns like '*.example.com'"
-                    ));
-                } else if !host.starts_with("*.") && !host.starts_with("**.") {
-                    errors.push(format!(
-                        "{loc}: host wildcard must start with '*.' or '**.' (e.g., '*.example.com'), got '{host}'"
-                    ));
-                } else {
-                    // Reject TLD wildcards like *.com (2 labels) — they are
-                    // accepted by the policy engine but silently fail at the
-                    // proxy layer (see #787).
-                    let label_count = host.split('.').count();
-                    if label_count <= 2 {
-                        errors.push(format!(
-                            "{loc}: TLD wildcard '{host}' is not allowed; \
-                             use subdomain wildcards like '*.example.com' instead"
-                        ));
-                    }
-                }
-            }
+            validate_host_wildcard(&mut errors, &loc, host);
 
             // port + ports mutual exclusion
             let has_scalar_port = ep
@@ -1793,7 +1808,27 @@ mod tests {
     }
 
     #[test]
-    fn validate_wildcard_host_no_star_dot_error() {
+    fn validate_wildcard_host_mid_label_error() {
+        let data = serde_json::json!({
+            "network_policies": {
+                "test": {
+                    "endpoints": [{
+                        "host": "foo.*.example.com",
+                        "port": 443
+                    }],
+                    "binaries": []
+                }
+            }
+        });
+        let (errors, _warnings) = validate_l7_policies(&data);
+        assert!(
+            errors.iter().any(|e| e.contains("first DNS label")),
+            "Mid-label wildcard should be rejected, got errors: {errors:?}"
+        );
+    }
+
+    #[test]
+    fn validate_wildcard_host_single_label_error() {
         let data = serde_json::json!({
             "network_policies": {
                 "test": {
@@ -1807,8 +1842,28 @@ mod tests {
         });
         let (errors, _warnings) = validate_l7_policies(&data);
         assert!(
-            errors.iter().any(|e| e.contains("must start with")),
-            "Malformed wildcard should be rejected, got errors: {errors:?}"
+            errors.iter().any(|e| e.contains("TLD wildcard")),
+            "Single-label wildcard should be rejected, got errors: {errors:?}"
+        );
+    }
+
+    #[test]
+    fn validate_wildcard_host_recursive_intra_label_error() {
+        let data = serde_json::json!({
+            "network_policies": {
+                "test": {
+                    "endpoints": [{
+                        "host": "foo**.example.com",
+                        "port": 443
+                    }],
+                    "binaries": []
+                }
+            }
+        });
+        let (errors, _warnings) = validate_l7_policies(&data);
+        assert!(
+            errors.iter().any(|e| e.contains("recursive host wildcard")),
+            "Recursive intra-label wildcard should be rejected, got errors: {errors:?}"
         );
     }
 
@@ -1876,6 +1931,54 @@ mod tests {
         );
     }
 
+    #[test]
+    fn validate_wildcard_host_double_star_valid_no_error() {
+        let data = serde_json::json!({
+            "network_policies": {
+                "test": {
+                    "endpoints": [{
+                        "host": "**.example.com",
+                        "port": 443
+                    }],
+                    "binaries": []
+                }
+            }
+        });
+        let (errors, warnings) = validate_l7_policies(&data);
+        assert!(
+            errors.is_empty(),
+            "**.example.com should be valid, got errors: {errors:?}"
+        );
+        assert!(
+            warnings.is_empty(),
+            "**.example.com should not warn, got warnings: {warnings:?}"
+        );
+    }
+
+    #[test]
+    fn validate_wildcard_host_intra_label_valid_no_error() {
+        let data = serde_json::json!({
+            "network_policies": {
+                "test": {
+                    "endpoints": [{
+                        "host": "*-aiplatform.googleapis.com",
+                        "port": 443
+                    }],
+                    "binaries": []
+                }
+            }
+        });
+        let (errors, warnings) = validate_l7_policies(&data);
+        assert!(
+            errors.is_empty(),
+            "*-aiplatform.googleapis.com should be valid, got errors: {errors:?}"
+        );
+        assert!(
+            warnings.is_empty(),
+            "*-aiplatform.googleapis.com should not warn, got warnings: {warnings:?}"
+        );
+    }
+
     #[test]
     fn validate_port_and_ports_mutually_exclusive() {
         let data = serde_json::json!({
diff --git a/crates/openshell-sandbox/src/opa.rs b/crates/openshell-sandbox/src/opa.rs
@@ -3991,6 +3991,69 @@ network_policies:
         assert!(!decision.allowed, "Wildcard host on wrong port should deny");
     }
 
+    #[test]
+    fn wildcard_host_intra_label_matches() {
+        // First-label intra-label wildcard: `*` matches the variable prefix
+        // within a single DNS label. Locks validator/runtime alignment for
+        // the pattern accepted by `validate_host_wildcard`.
+        let data = r#"
+network_policies:
+  intra_label:
+    name: intra_label
+    endpoints:
+      - { host: "*-aiplatform.googleapis.com", port: 443 }
+    binaries:
+      - { path: /usr/bin/curl }
+"#;
+        let engine = OpaEngine::from_strings(TEST_POLICY, data).unwrap();
+        let input = NetworkInput {
+            host: "us-central1-aiplatform.googleapis.com".into(),
+            port: 443,
+            binary_path: PathBuf::from("/usr/bin/curl"),
+            binary_sha256: "unused".into(),
+            ancestors: vec![],
+            cmdline_paths: vec![],
+        };
+        let decision = engine.evaluate_network(&input).unwrap();
+        assert!(
+            decision.allowed,
+            "*-aiplatform.googleapis.com should match us-central1-aiplatform.googleapis.com: {}",
+            decision.reason
+        );
+    }
+
+    #[test]
+    fn wildcard_host_intra_label_does_not_cross_dot() {
+        // `glob.match(..., ["."])` treats `.` as a label boundary that `*`
+        // cannot cross. `*-aiplatform.googleapis.com` must not match a host
+        // whose first label is `us-central1` and where `aiplatform` is a
+        // separate label.
+        let data = r#"
+network_policies:
+  intra_label:
+    name: intra_label
+    endpoints:
+      - { host: "*-aiplatform.googleapis.com", port: 443 }
+    binaries:
+      - { path: /usr/bin/curl }
+"#;
+        let engine = OpaEngine::from_strings(TEST_POLICY, data).unwrap();
+        let input = NetworkInput {
+            host: "us-central1.aiplatform.googleapis.com".into(),
+            port: 443,
+            binary_path: PathBuf::from("/usr/bin/curl"),
+            binary_sha256: "unused".into(),
+            ancestors: vec![],
+            cmdline_paths: vec![],
+        };
+        let decision = engine.evaluate_network(&input).unwrap();
+        assert!(
+            !decision.allowed,
+            "*-aiplatform.googleapis.com must NOT match us-central1.aiplatform.googleapis.com \
+             (would cross a `.` boundary)"
+        );
+    }
+
     #[test]
     fn wildcard_host_multi_port() {
         let data = r#"
diff --git a/crates/openshell-server/src/inference.rs b/crates/openshell-server/src/inference.rs
@@ -1113,7 +1113,9 @@ mod tests {
         let result1 = handle1.await.unwrap();
         let result2 = handle2.await.unwrap();
 
-        // One should succeed with MustCreate, the other should fail
+        // If both tasks observe a missing route before either insert commits, MustCreate
+        // should let exactly one win. If the scheduler serializes them, the second call
+        // may legitimately observe the new route and take the update path.
         let successes = [&result1, &result2].iter().filter(|r| r.is_ok()).count();
         let failures = [&result1, &result2]
             .iter()
@@ -1127,22 +1129,40 @@ mod tests {
             })
             .count();
 
-        assert_eq!(
-            successes, 1,
-            "exactly one create should succeed, got: {result1:?}, {result2:?}"
-        );
-        assert_eq!(
-            failures, 1,
-            "exactly one create should fail, got: {result1:?}, {result2:?}"
+        assert!(
+            successes == 1 || successes == 2,
+            "one racing create should succeed, or both serialized upserts should succeed, got: {result1:?}, {result2:?}"
         );
+        if successes == 1 {
+            assert_eq!(
+                failures, 1,
+                "the losing racing create should fail, got: {result1:?}, {result2:?}"
+            );
+        } else {
+            assert_eq!(
+                failures, 0,
+                "serialized upserts should not fail, got: {result1:?}, {result2:?}"
+            );
+            let mut versions = [&result1, &result2]
+                .into_iter()
+                .map(|result| result.as_ref().expect("success").route.version)
+                .collect::<Vec<_>>();
+            versions.sort_unstable();
+            assert_eq!(
+                versions,
+                vec![1, 2],
+                "serialized create-then-update should return versions 1 and 2"
+            );
+        }
 
-        // Only one route should exist
+        // Only one route should exist.
         let route = store
             .get_message_by_name::<InferenceRoute>(CLUSTER_INFERENCE_ROUTE_NAME)
             .await
             .expect("fetch")
             .expect("route should exist");
-        assert_eq!(route.version, 1);
+        let expected_version = if successes == 1 { 1 } else { 2 };
+        assert_eq!(route.version, expected_version);
     }
 
     #[tokio::test]
diff --git a/docs/reference/policy-schema.mdx b/docs/reference/policy-schema.mdx
@@ -152,7 +152,7 @@ Each endpoint defines a reachable destination and optional inspection rules.
 
 | Field | Type | Required | Description |
 |---|---|---|---|
-| `host` | string | Yes | Hostname or IP address. Supports wildcards: `*.example.com` matches any subdomain. |
+| `host` | string | Yes | Hostname or IP address. Supports a `*` wildcard inside the first DNS label only: `*.example.com`, `**.example.com`, and intra-label patterns like `*-aiplatform.googleapis.com` are accepted; bare `*`/`**`, TLD wildcards (`*.com`), and wildcards outside the first label are rejected at load time. |
 | `port` | integer | Yes | TCP port number. |
 | `path` | string | No | Optional HTTP path glob used to select between L7 endpoints that share the same host and port. Empty means all paths. Use this when REST and GraphQL live under the same host, such as `/repos/**` and `/graphql`. |
 | `protocol` | string | No | Set to `rest` for HTTP method/path inspection, `websocket` for RFC 6455 upgrade and client text-message inspection, or `graphql` for GraphQL-over-HTTP operation inspection. WebSocket endpoints can also use GraphQL operation rules for GraphQL-over-WebSocket traffic. Omit for TCP passthrough. |
diff --git a/mise.lock b/mise.lock
